[snip]

> 
> To clear things up completely: this is an addition to the existing
> SafeBrowsing feature in Firefox.  This feature augments what the current
> one can detect, but will involve sending out URLs in pings.
> 
> Based on Moheeb's reply (in this thread), I think we should move ahead
> with implementing this for our Windows users.  It seems to me, and
> please chime in if I'm out of line here, that we should:
> 
> 1.  Stand up a proxy that handles both pings and list updates.

Perhaps I didn't get it right. Is there a difference (e.g. updated more
frequently or region specific) between this whitelist and the
safebrowsing list? If there is only one current whitelist at a time
delivered to all clients, Mozilla can host this list instead of being a
proxy. Wouldn't that be more efficient?

> ** This proxy would strip the last octet out of IP addresses for pings

I'm not an expert here, but would that be sufficient for IPv6?

What about the "browser's fingerprint" (user agent etc.)? Will this kind
of information be stored by Mozilla and/or be transmitted to Google?

Personally, I still prefer opt-in.

> ** Firefox then pings us (the proxy) instead of Google directly
> 2.  Explore tying in other reputation systems via the proxy
> 3.  Document the endpoints in detail so users/enterprises can select to
> use Google directly (probably via about:config prefs) or choose an
> alternate reputation service provider.
> 

+1

But in order to disable the application reputation system (ARS) there
will be an additional checkbox in preferences => security?

Can a user decide, by enabling checkboxes, to only use the whitelist
part of the system and disable the "sending URL" part?

Something like this:

(x) Safebrowsing
(x) Application Reputation System  (daily updated local whitelist only)
     ( ) Allow additional queries
              ( ) to <provider> via mozilla  (proxy)
              ( ) directly to <provider>

If there are different ARS providers, <provider> could be a dropdown-menu?


I think the user should be informed if and what steps are taken, e.g.
with a text in the download history for each file.

examples:

a. ARS not applicable    (no executable file)
b. ARS disabled          (binary not checked)
c. binary whitelisted from <provider> on <date of last whitelist update>
d. binary checked on <date> after ping to <provider> (via mozilla)



Quoting part of my own mail from June 13th:

"Google or anybody who exclusively gets information about the "download
behavior" of millions of users can at least use this advantage to
redirect its resources in software development or marketing money to
hold down emerging competitors. Is Mozilla willing to assist?"

This issue has not been considered yet. Aren't there implications
regarding competition/antitrust law? Only changing IP addresses
doesn't help here.
A question to the professionals: How likely are other competitive ARS
service providers besides Google in the future?

> Sound good?
> 
> -Sid
> 

All the best.

user s.

[snip]
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
